I. INTRODUCTION

With worldwide concern about the energy situation, many of the
advanced industrial countries of the world are now planning for a rapid
build-up in the share of electricity being generated by nuclear power.
It is estimated that between 30 and 50 percent of the total electricity
required by the end of the century will be generated by nuclear power.[1]
The modern power reactors being designed and built to satisfy this
demand for electricity are generally large and complex. For this reason
the nuclear industry has now incorporated the use of a digital computer
at many power stations throughout the world in an attempt to simplify
the operation of the plant and thereby enhance the safety of the plant.

Generally, the computer is used to perform automatic system
monitoring, plant performance calculations and rapid data recording. In
this manner the computer functions in an advisory capacity to assist the
reactor operator. In some countries the reactor operation has been
simplified further by expanding the role of the computer to include the
automatic control of the power plant and some of its auxiliary machinery.
In Germany the computer is now planned to perform a role of major
importance in the safety system of two reactors currently under
construction. Thus, the degree of automation at nuclear power stations
has been increasing steadily during the last decade. What then is the
status of the completely automatic reactor instrumentation and control
system?

This paper will review the present status of various computer
configured power reactors in existence and being developed in the world
today. The major functions performed by the computer at each
installation will be discussed and the unique features of each computer
configuration will be identified specifically. The major difficulties
encountered and the degree of success of each configuration
currently in operation will be pointed out. Finally a comparison of the
automated functions of each reactor control system previously discussed
will be made with general conclusions as to the future role of on-line
computer systems in nuclear power stations.


II. BACKGROUND

The operation of power reactors requires that the operator monitor
and record in-core temperatures, reactor power levels, reactor period
data, control rod position indication data, auxiliary machinery status,
coolant and steam flow rates and reactor pressures plus the status of
various alarms and air monitors. Additionally the operator must make
calculations for reactivity, xenon poisoning, rod calibration, flux
mapping, power distribution and fuel management. In order to reduce the
complexity and improve the safety of plant operations, on-line digital
computers are now included as an integral component of most large
nuclear power stations.[3]

The degree to which the computers are utilized in nuclear power
stations may be functionally categorized as monitoring, control and
protection applications.

Until recently, the primary purpose of on-line digital processing
systems was that of a data collecting or monitoring nature, while
control was left to the more conventional analog methods. The
reluctance to permit participation of digital computers on a more active
basis in the nuclear reactor control systems, particularly in the United
States, was based mainly upon low reliability.[1*] In the nuclear industry
the safety requirements have been traditionally very stringent and a
device with a low reliability could not be used for any essential
purpose in the operation of the reactors. Therefore the reactors in
some countries use the computer solely for monitoring purposes.

Power reactors are now being built and operated in Sweden, Pakistan,
England, Canada and France, the designs of which include the
utilization of a process computer for the direct digital control of the
reactor and other important plant variables. These reactor designs use
aerospace reliability criteria and technology, including mathematical
assessment of the mean time between failures (MTBF).[3] High reliability
is achieved by the use of redundancy and testing. In these designs,
the computer is an essential component of the control systems.

Conventional analog circuits with relay or solid-state logic
circuits are used in the safety systems, which are sometimes identified as
protection systems, of today's power reactors. The safety features
afforded by the use of a computer at power stations today are generally
limited to advising the operator of an alarm and the probable cause of
the alarm. The newly designed Canadian reactors are an exception,
however, since the computer is used to initiate a reactor trip condition
as an added measure to augment the analog safety system.

A survey of the various types of power reactors which use digital
computers has been conducted and a detailed description of the different
computer schemes used to provide monitoring, control and protection
functions is presented in sections III, IV, and V of this report. The
power reactors built in other countries which are not mentioned in this
report tend to be completely analog systems although extensive research
in the area of digital control of reactors is being conducted in
Switzerland, Belgium and Japan.[3,5,6]


III. MONITORING SYSTEMS

SEQUOYAH (UNITED STATES)

The Sequoyah nuclear power plant is one of the largest nuclear
stations being built in the United States. It is being constructed by
the Tennessee Valley Authority on the west shore of the Chickamauga
Reservoir, approximately 18 miles northeast of Chattanooga, Tennessee.
The plant will use twin pressurized water reactors which have been
designed by the Westinghouse Electric Corporation. The reactors are
rated at 3,423 MWt each and commercial operation is now scheduled for
December 1974.[7] The plant will use the monitoring scheme depicted in
Figure 3-1. Although the computer is an effective and valuable
operational tool, the plant is designed on the basis that sustained, full
power operation does not depend on the availability of the computer.

Figure 3-1
Simplified Block Diagram of Computer System


The protection system measures dominant nuclear plant process
variables and provides continuous analog information to the operator.
Additionally it provides approximately 20 reactor trip functions which
stem from the measurements of primary system pressures, flows and
levels, nuclear and thermal overpower, and secondary plant pressures,
flows and levels. The bistable output of each channel of the protection
system is coupled to the computer for data processing, printing and
alarm indication.

The sensors from the control rod position monitoring system
provide information to the computer which monitors deviations between rods
in a group or bank, and actuates an alarm if the deviation exceeds
pre-established limits.

The in-core instrumentation system provides information on the
neutron flux distribution and the fuel assembly outlet temperature at
selected locations within the core. This instrumentation system provides
only for acquiring data and performs no operational control or safety
function. Information thus obtained makes it possible to confirm
reactor core design parameters and calculated hot channel factors.

The component monitoring system provides information to the
computer on the operational status of various pumps, valves, motors and
other reactor components. The data is stored and then printed on the
log sheets at prescribed intervals of time.

The site and perimeter air monitors transmit data to the plant
computer and the chart recorders for data recording and alarm indication.

The Sequoyah computer accommodates 975 analog input signals and 600
digital input signals. The working programs performed by the computer
include analog and digital scanning, limit supervision and off-normal
condition alarms. Also included are protection system operation
monitoring, flux distribution and hot channel factor calculations and
secondary plant operational guidance and performance calculations.

Specific information regarding the programming technique used was
not available to the author. However, it is envisioned that a
time-sharing technique is utilized since this would enable the operator to
use the on-line computer for diagnostic tests and general off-line
applications.

This station is currently undergoing total system checkout and
operational performance data on the monitoring system is not available.

CONNECTICUT YANKEE (UNITED STATES)

The Connecticut Yankee nuclear power station, which was built by
the Connecticut Yankee Power Company, is located in Haddam, Connecticut.
The plant uses a pressurized water reactor which was provided by the
Westinghouse Electric Corporation and is currently operating at 467 MWe.
To maintain effective control and perform the constant measurements
needed for efficient plant operation the station is equipped with a
monitoring and information system based on an IBM 1800 data acquisition
system with four on-line printers.[8] This power station is smaller than
the Sequoyah plant and therefore fewer analog and digital inputs are
required for the monitoring system. The simplified diagram shown in
Figure 3-1 also applies for this station.

There are 317 analog inputs and 237 digital inputs to the computer.
The analog inputs include signals from the protection system, 48
thermocouples that measure in-core temperatures, linear voltage differential
transformers that measure control rod positions, amplifiers which are
connected to the in-core flux detectors, bearing thermocouples and many
other sensors including site and air monitors. The digital inputs
include 45 contact sense inputs to indicate the limiting positions of
the control rods, contact sense inputs for in-core flux detection and
path indications, several inputs to check auxiliary equipment operating
conditions and status, and inputs from two console keyboards which
enable digital interpretation of operator requests.

The digital outputs are used to actuate main control board
annunciator panel lights which indicate specific computer originated alarms,
to control two NIXIE tube displays and to actuate any of four printers.

A time-sharing executive programming technique is used in this
system which enables a wide range of reports to be produced as the
on-line data gathering function proceeds. The executive program,
functioning as a programmed timer, controls the timing of various process
analog scan programs. Typical of this type is the fast scan program
which causes 132 analog points to be read. From this data, one minute
averages and five minute averages are calculated. Typical of the
information monitored at this point are those inputs that permit the
calculation of plant power output in thermal units based on a heat balance
around the steam generators. Every 120 milliseconds, 108 digital inputs
are scanned and brought into the memory. The data from each new input
is compared with data from the previous scan. When there is a change
a sequence of events message is printed to alert the main control board
operator. This message indicates the time the reading was taken, the
identification of the specific piece of equipment and the direction of
the change, i.e., high or low, on or off, etc.
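
The scan-and-compare step described above can be sketched as follows. This is an added example, not code from the Connecticut Yankee system or from the original paper; the packing of the 108 inputs into one integer per scan, the point names and the message layout are assumptions made for illustration.

```python
from datetime import datetime, timedelta

N_INPUTS = 108                              # digital points per scan (figure from the text)
SCAN_PERIOD = timedelta(milliseconds=120)   # scan interval (figure from the text)
MASK = (1 << N_INPUTS) - 1

# Constructed point table (hypothetical names): bit -> (equipment, state at 0, state at 1)
POINTS = {
    0: ("FEED PUMP A", "OFF", "ON"),
    1: ("ROD 12 UPPER LIMIT", "CLEAR", "AT LIMIT"),
    5: ("STEAM GEN 1 LEVEL", "LOW", "HIGH"),
}


def changed_bits(previous, current):
    """Yield the bit numbers that differ between two packed scans, lowest first."""
    diff = (previous ^ current) & MASK
    while diff:
        lowest = diff & -diff               # isolate the lowest set bit
        yield lowest.bit_length() - 1
        diff ^= lowest


def sequence_of_events(scans, start):
    """Compare each scan with the previous one; return (time, equipment, new state).

    The first scan only establishes the baseline. A point that changes and
    reverts between two scans is never seen, so the scan period bounds the
    time resolution of the event record.
    """
    events = []
    previous = None
    for n, word in enumerate(scans):
        if not 0 <= word <= MASK:
            raise ValueError(f"scan {n} has bits outside the {N_INPUTS} inputs")
        if previous is not None:
            stamp = start + n * SCAN_PERIOD
            for bit in changed_bits(previous, word):
                # Points missing from the table still produce a message.
                name, at_zero, at_one = POINTS.get(bit, (f"POINT {bit:03d}", "0", "1"))
                state = at_one if (word >> bit) & 1 else at_zero
                events.append((stamp, name, state))
        previous = word
    return events


def format_event(event):
    """Render one event as time, equipment identification and direction of change."""
    stamp, name, state = event
    return f"{stamp:%H:%M:%S}.{stamp.microsecond // 1000:03d}  {name}  {state}"


# Constructed sample: four consecutive scans of the packed input word.
SAMPLE_SCANS = [0b000000, 0b000001, 0b100011, 0b100010]
SAMPLE_START = datetime(1974, 1, 1, 8, 0, 0)

if __name__ == "__main__":
    for ev in sequence_of_events(SAMPLE_SCANS, SAMPLE_START):
        print(format_event(ev))
```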

Other programs are maintained on a magnetic disk and are brought
into the central processing unit by the executive program. These
programs are used to provide trend reports, an alarm indication if a rod is
not in step with the rod bank, post incident reports, limit supervision
and plant performance calculations.

This computer system was valuable to the plant management during
the critical checkout phases, and continues to be so.[8]

DOUGLAS POINT (UNITED STATES)

The Potomac Electric Power Company is currently planning to build
a nuclear power station near Douglas Point, about 30 miles south of
Washington, D.C. This station is to be distinguished from the power
station in Canada which is also known as the Douglas Point nuclear
power station.

The Potomac Electric Power Company is planning to use two boiling
water reactors at the new station. The reactors are to be provided by
the General Electric Company and each reactor is planned to produce
1,178 MWe. Construction of the facility is expected to begin in March
of 1975 pending State and Federal approvals with completion of the first
unit in 1980.[9] This plant will also use the basic monitoring scheme
shown in Figure 3-1 but with noticeable improvements in the method of
displays and the addition of a new computer function, turbine control.

The latest state of the art technology will be used to reduce the
number of display devices. Color cathode ray tube (CRT) displays will
be employed to increase operator comprehension of the plant variables,
improve operator response time and reduce operator fatigue. The color
CRT displays (two per reactor unit) will display plant parameters in the
form of bar charts, graphics, digital readouts and alpha-numeric alarms.
The displays will have a data switching network and in the event that
one CRT fails the data can be shifted manually or automatically to a
standby CRT display. These new consoles are also planned to be used at
other stations which have boiling water reactors, such as the Berwick
station which is being constructed in Pennsylvania.

The second improvement to the on-line processing system is the
extension of the digital processing functions to include digital control
of the turbine. This control function is a supplementary feature of the
monitoring system. The automatic turbine supervisory and start-up mode
of the digital electro-hydraulic control features permit the turbine
start-up with a minimum number of operator actions. This system will
enable the turbine generator to be rolled from turning gear to
synchronous speed and locked into the grid automatically.

The computer system, one per reactor unit, will provide for
scanning, performance calculations, logging and alarming of plant functions.
In addition it will form the basis for gathering and manipulating plant
information for the CRT display.

WYLFA (GREAT BRITAIN)

The Wylfa nuclear power station, which became fully operational in
1969, employs two MAGNOX gas cooled reactors and was the first nuclear
power station in Great Britain to make extensive use of the digital
computer.[11,12] The previous application of the computer to power stations
in Great Britain was at the Oldbury station where the computer was used
for routine logging and alarm analysis.

The functions performed by the data processing system at the Wylfa
plant include routine logging of plant variables, post incident analysis
and logging, alarm analysis and display, limit supervision, plant
performance calculations, core performance calculations and automatic
turbine start-up. This computer system utilizes a CRT display to obtain
centralized control of the plant operations.

Both of the reactors at the Wylfa station use the single computer
system. This digital processing system is not indispensable since both
units can run for several hours at constant load if the computer should
fail. However, to increase the reliability of the station a standby
computer with automatic switching features is provided, but this
computer is normally used for off-line calculations. A schematic diagram
of the computer configuration is provided in Figure 3-2. This
configuration requires elaborate highway switching functions which must be
programmed.

The computer system at the Wylfa station has been proven to be very
reliable with availabilities exceeding the manufacturer's specified
value of 99.8 percent as shown in Table 3-1.[12]

WURGASSEN (GERMANY)

The Wurgassen nuclear power station uses a boiling water reactor.
This power plant produces 640 MWe and full power operation was initiated
in 1972.[13] Figure 3-3 shows the general layout of the standard on-line
computer system configuration which is used at this station as well as
many other stations in Germany which use boiling water reactors.

Figure 3-2
Wylfa Computer Configuration Schematic

Table 3-1
Reliability of Wylfa Computer System During a 52 Week Period

                            Number of faults

Processor:
  Transistors               2
  Shorted Connector         1
  Relay Contact             1

Drums:
  Maladjustment             1
  Transistors               4
  Potentiometers            1
  Heads                     3

Display Units:
  Transistors               5
  Diodes                    2
  Vacuum Tubes              18
  Capacitors                1

Scanners : 

Transistors 
Capacitors 
Transformers 
Reed  Relays 
Interposing  Relays 

2 

1 
48 

1 

Total number of faults      93
Total system down time      3.1 hours
Availability                99.96%

Figure 3-3
Wurgassen Computer System Configuration

The computer system uses an AEG 6050 computer which is comparable
to the GE/PAC 4020 computer having core memory of 32,000 words. The
drum memory size is 256,000 words. The processor accommodates
approximately 1,000 analog inputs and 1,000 digital inputs. With this
extensive number of inputs available, primarily from the in-core
instrumentation, it is very important that a sufficient number of values be read at
a high speed. The analog inputs are categorized into 4 scan classes,
with a scanning every 5, 15, or 60 seconds. The scan rate of the
digital inputs is 883,000 bits/second.

The master computer program consists of three blocks of individual
programs which are used for core performance calculations, plant
performance calculations and administration of data.

Core performance calculations are the most important functions
performed by the computer in this design. The computer determines the
three dimensional power distribution together with thermal limit
calculations. In this manner a better knowledge of the power distribution
is obtained which enables the operating limits on the critical heat
flux ratio and the maximum heat flux to come closer to the real thermal
limits of the fuel.

The computer determines the power distribution from ionization
chamber readings, thermo-hydraulic measurements and control rod
positions using expansion techniques to cover the unmonitored region
between detectors.

In addition to this key task, various other calculations are
performed. Some examples are:

(1) Calibration of in-core chambers,

(2) Control rod position indication,

(3) Determination of variable limits,

(4) Determination of exposure distribution,

(5) Determination of fuel isotopics,

(6) Determination of control blade and in-core chamber exposure,
and

(7) Xenon poisoning predictions.

The computer also performs plant performance calculations which
determine steam flow, plant efficiency, electrical power and condenser
state.

The administrative program generates trend logging, alarm
indication, routine logging and post incident analysis.

In this reactor design, the basic monitoring functions have been
expanded. The computer is programmed as an open loop controller so that
the operator is automatically advised of the adjustments that are
necessary to maintain the plant operation at peak efficiency.

OBRIGHEIM (GERMANY)

The use of the computer as an open loop controller has also been
incorporated in the design of many pressurized water reactors in
Germany, such as at the Obrigheim nuclear power station which currently
produces 300 MWe. The computer system has been in operation with the
reactor loaded since July 1968.[15] It has essentially the same computer
configuration as previously described for the Wurgassen station, Figure
3-3, except that a Siemens 300 data processing system is used.

The distinguishing feature of this design is the extensive
operational information that is provided automatically to the operator.
Summaries of the supervisory functions, logging functions, core performance
calculations and plant performance calculations that are performed
automatically are provided in Tables 3-2, 3-3, 3-4, and 3-5.

The design approach for the new reactors being built in Germany
is based upon the open loop controller principles just described.
Currently it is not planned to expand the role of the computer to that of
a closed loop controller in the future German reactor designs. This
decision results from cost and performance considerations.

Table 3-2
Supervisory Functions Employed in Obrigheim Nuclear Power Station

Reactor coolant system
- monitoring of reactor coolant pump shaft seals

Steam generators
- tube plate temperature protection
- tube failure check
- heat-up gradient
- activity leakage from blowdown lines

Pressurizer
- start-up and shutdown pressure gradients

Volume control system
- volume control tank H2O pressure monitoring
- reactor coolant purification rate inlet control

Turbine
- barring gear operation on shutdown

Component cooling loop
- activity check
- regulation of spent fuel pit cooling water temperature

Ventilation systems
- monitoring of air handling in primary shield cooling system
- monitoring of exhaust air filter operation
- monitoring of reactor building and annular space air pressure
- quick-closing damper checking
- monitoring trend of pressure and temperature in reactor building
- monitoring of spray system in reactor building

Purification system
- monitoring of anion exchanger regeneration

Condensate pumps
- pump wear

Feed heating system
- tube failure checks
- air removal checks

Feed water tank
- deaeration checks
- pressure drop checks in the event of a reactor trip

Feed pumps
- impeller wear
- balancing system wear
- minimum and maximum flow checks
- emergency feed pump minimum pressure checks

Table 3-3
Logging Functions Employed in Obrigheim Nuclear Power Station

- fault log
- post incident review
- switching log
- operators action log
- analog trend log
- operating daily and monthly logs
- operating time log
- maintenance work log
- integrated value log

IV. CONTROL SYSTEMS

MARVIKEN (SWEDEN)

The Marviken prototype power plant which has been built in Sweden
to produce 200 MWe uses a boiling heavy water reactor with internal
superheating.[17] This is a single cycle system with reactor steam going
directly into the turbine.

Since the Marviken station was the first full-scale prototype of
this kind to be built the required degree of automation for the plant
operation was investigated in detail. Manual control with conventional
relay logic was compared with on-line computer control. It was found
that an on-line computer control would give the best flexibility
especially when altering the condition of the plant cycle from saturated
steam to superheated steam.

There are 32 superheater channels spread out over the reactor core.
The throttle valves in the channels must be set in positions which give
the same output temperature in all channels. If for any reason the
temperature goes up in one channel, not only the valve in this channel
but also the valves in the surrounding channels must be adjusted. The
control sequence is difficult to accomplish manually and for that reason
a direct digital control scheme was employed.

A block diagram of the computer configuration is shown in Figure
4-1.

The main functions of the computer are:

(1) Indication of process variables such as temperature or
pressure,

(2) Printing of process variables and operations,

(3) Alarm annunciation and alarm analysis,

(4) Automatic sequence control for starting up, normal running,
refuelling and testing of machinery and valves,

(5) Automatic setting of the throttle valves in the superheater
channels, and

(6) Calculation of channel power.

Indication of process variables such as temperature or pressure is
made on the CRT displays instead of on several hundreds of indicating
instruments. Every process variable or analog input has its own
identification code consisting of three figures, one letter and three
figures. The alpha-numeric identification code appears on the CRT
followed by the measured value of the selected process variable. These
variables may be printed whenever desired by the operator.
Additionally, every two hours the 200 process variables being monitored are
printed automatically on the logging typewriter in the computer room.
Alarms are also indicated on the CRT display and alarm messages are
printed on the typewriter automatically.

The automatic operation of the station requires 46 sequence control
programs and some of these control programs require intermittent manual
operations before the automatic sequence is completed. After being
advised of the need for a manual operation the operator initiates a
program which causes the computer to check the parameters which are
important for the next sequence of events. If the measured values exceed the
previously specified limits the operator is advised of an error
condition which must be corrected manually before the automatic sequencing
can be continued. For every operation in the automatic sequence
programs there is a list of conditions which must be fulfilled before the
operation is performed.

Table 4-1
Number of Programs Required for Automatic Sequence Control

Start-up                           8 programs
Normal running                     1 program
Shutdown                           6 programs
Refuelling                         17 programs
Testing of machinery and valves    14 programs

The number of sequence programs required for the various automatic
modes of operation is shown in Table 4-1.

The channel power is calculated by means of the in-core flux
monitoring system which uses beta current detectors.

The computer system just described is an integral part of the
reactor design and must therefore function properly when the reactor is
being operated. Since redundancy is not employed in the computer
system, a failure in this system will cause the reactor to be inoperable.

This station was closed down in 1970 and an assessment of the
performance of the digital control system could not be ascertained.

KANUPP (PAKISTAN)

The Kanupp nuclear power station uses a pressure-tube, heavy water
moderated, natural uranium reactor which was designed and built for the
Pakistan Atomic Energy Commission by the Nuclear Energy Project of
Canadian General Electric.[18] This power plant became operational in
December 1972 and produces 137 MWe.[19]

A pair of digital station control computers, having identical
hardware characteristics, provide the following functions:[18]

(1) Dual channel, direct digital control of reactor power,

(2) Automatic turbine load control,

(3) Flux tilt control,

(4) Fuel channel outlet temperature monitoring,

(5) Failed fuel activity monitoring,

(6) Alarm annunciation,

(7) Thermal power calculation,

(8) Xenon poison calculation and prediction, and

(9) Station logging.

The neutron flux level of the reactor is controlled to match the
turbine demand and to maintain a nominally constant steam pressure to
the turbine during power generation.

There are two modes of plant operation: frequency control and base
load operation. When operating in the frequency control mode the
turbine increases or decreases its power output during frequency deviations
to help maintain the grid at its desired frequency of 50 Hz. During
base load operation the plant load controller, also a computer function,
acts to maintain the electrical power output at the desired value by
manipulating the setpoint of the mechanically actuated turbine governor.
The plant power output still responds to frequency deviations but only
momentarily as the plant load controller corrects all lengthy deviations
from the desired power output.

The  reactivity  control  systems  can  be  divided  into  two  groups  based 
upon  operating  speed.   The  fast  acting  systems  include  (1)  moderator 
level  control  which  is  the  primary  method  of  reactivity  control  and 
(2) control of the booster and absorber rod movement. The slow acting
systems consist of continuous on-power refuelling and moderator poison
(boron) concentration adjustments. The fast acting systems are controlled
by the computers.

Fine  control  of  reactivity  is  effected  by  adjustment  of  moderator 
level.   Each  computer  regulates  its  own  moderator  level  control  valve. 
The  two  control  valves  are  installed  in  parallel  to  ensure  that  the 
channel  demanding  the  lower  power  will  always  be  in  control,  the  other 
channel acting as a backup. Rod movement to increase reactivity requires
the agreement of both computers. Either computer acting alone
can  move  the  rods  to  decrease  reactivity. 
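
The channel arbitration described above can be written down as a small decision function. This is an added example, not code from the Kanupp control program; the ChannelOutput structure, the power-demand scale and the handling of a silent channel (None) are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Rod(Enum):
    HOLD = "hold"
    INCREASE = "increase reactivity"
    DECREASE = "decrease reactivity"


@dataclass(frozen=True)
class ChannelOutput:
    """What one control computer asks for on one scan (hypothetical structure)."""
    power_demand: float  # requested reactor power as a fraction of full power
    rod_request: Rod


Decision = Tuple[Optional[float], Rod, Optional[str]]


def arbitrate(a: Optional[ChannelOutput], b: Optional[ChannelOutput]) -> Decision:
    """Combine the two channels according to the rules stated in the text.

    None models a channel that produces no output. The page does not say how
    the plant treats that case, so the handling here is an assumption: a
    silent channel cannot approve anything, and the other channel carries on.
    Returns (effective power demand, rod action, controlling channel name).
    """
    live = {name: ch for name, ch in (("A", a), ("B", b)) if ch is not None}
    if not live:
        return None, Rod.HOLD, None

    # Moderator level: the channel demanding the lower power is in control.
    controlling = min(live, key=lambda name: live[name].power_demand)
    demand = live[controlling].power_demand

    requests = [ch.rod_request for ch in live.values()]
    if Rod.DECREASE in requests:
        # Either computer acting alone may reduce reactivity.
        rod = Rod.DECREASE
    elif len(live) == 2 and all(r is Rod.INCREASE for r in requests):
        # Adding reactivity needs the agreement of both computers.
        rod = Rod.INCREASE
    else:
        rod = Rod.HOLD
    return demand, rod, controlling


def run_scans(scans) -> List[Decision]:
    """Apply the arbitration to a sequence of (channel A, channel B) outputs."""
    return [arbitrate(a, b) for a, b in scans]


# Constructed scenario, one tuple per scan.
SCANS = [
    # Both channels healthy and in agreement.
    (ChannelOutput(0.80, Rod.HOLD), ChannelOutput(0.80, Rod.HOLD)),
    # Channel B faults high: it can neither raise power nor withdraw rods.
    (ChannelOutput(0.80, Rod.HOLD), ChannelOutput(1.50, Rod.INCREASE)),
    # Both agree on a small increase, so it is allowed.
    (ChannelOutput(0.85, Rod.INCREASE), ChannelOutput(0.86, Rod.INCREASE)),
    # Channel B faults low: it takes control and reduces reactivity alone.
    (ChannelOutput(0.85, Rod.INCREASE), ChannelOutput(0.60, Rod.DECREASE)),
    # Channel B silent: A regulates, but no rod withdrawal is possible.
    (ChannelOutput(0.85, Rod.INCREASE), None),
]

if __name__ == "__main__":
    for scan, result in enumerate(run_scans(SCANS)):
        print(scan, result)
```

The fourth scan shows the cost of the asymmetry: a single channel failing low costs output, while a single channel failing high cannot add reactivity.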

The  controller  can  best  be  described  by  considering  it  to  consist 
of  two  control  loops  in  cascade  and  a  third  independent  loop. 

The primary or outer loop, shown in Figure 4-2, combines measurements
of steam flow and steam pressure into a neutron flux level setpoint
for the secondary or inner loop.


Figure 4-2
Schematic of Kanupp Outer Loop

The inner loop, shown in Figure 4-3, adjusts reactivity by manipulating
the moderator level control valve to maintain the neutron flux
level at the value demanded by the outer loop. The variables monitored
by the inner loop are linear neutron flux (LIN N), log neutron flux
(LOG N), rate of change of log neutron flux (RATE LOG N) and moderator
level (H), all of which are employed in the control equations.

A  third  loop  monitors  the  moderator  level  and  adjusts  reactivity 
using the control rods to force the inner loop to maintain the moderator
level in the control region at the top of the calandria.

Figure 4-3
Schematic of Kanupp Inner Loop

The control equations were developed using an analog computer programmed
to simulate the reactor, boiler and turbine. These equations
were  optimized  to  provide  stable  control  under  all  plausible  conditions, 
taking  advantage  of  the  capabilities  of  the  digital  computer  which  make 
practical  the  inclusion  of  non-linear  compensation. 

The  open  loop  cross-over  frequencies  of  the  control  loops  were  then 
determined  and  a  bandpass  filtering  circuit  was  devised  which  would 
eliminate  disturbances  from  noise.   The  filtering  circuit  was  designed 
so  that  the  total  phase  lag  introduced  by  sampling  and  filtering  at  the 
open-loop  cross-over  frequency  of  the  system  was  limited  to  8  degrees. 

The  completed  power  plant  is  now  operating  satisfactorily  at  rated 
power  although  the  control  program  required  some  modification  during 
commissioning in 1972.19

DUNGENESS  B  (GREAT  BRITAIN) 

The United Kingdom Central Electricity Generating Board has computers
in all of its nuclear power stations.12 The Dungeness B station,
which  is  currently  being  commissioned,  uses  two  660  MWe  advanced  gas- 
cooled reactors (AGR) each of which has an independent computer
system.11,12,20 The computer system is a logical development of the Wylfa
system but greater reliance is placed upon the computer. The reliability
of the basic computer system was therefore improved by providing a
common  standby  central  processing  unit  (CPU)  which  could  automatically 
replace  the  defective  CPU  of  either  reactor-turbine  unit.   The  standby 
CPU  would  normally  be  available  for  off-line  calculations.   The  block 
diagram  is  shown  in  Figure  4-4. 

The  data  processing  functions  performed  at  the  Wylfa  station  are 
likewise performed at the Dungeness B station and additional processing
and control functions are provided. The facilities which are in addition
to those of the Wylfa station are an increased degree of alarm
analysis,  a  comprehensive  fault  identification  system  and  the  following 
automatic  control  functions: 

(1)  Reactor  start-up, 

(2)  Reactor  zone  control,  and 

(3)  Reactor  flux  scanning. 

The purpose of alarm analysis is to condense the information presented
to the operator to that which he needs to know for immediate
action  while  filtering  out  extraneous  signals  which  are  incidental  to 
the  action  required.   The  results  of  the  analysis  are  displayed  in  plain 
language  on  a  CRT.   Signals  derived  both  from  the  digital  alarm  inputs 
and  from  analog  input  scanning  routines  are  logically  combined  where 
necessary  in  the  processing  system  with  plant  state  signals  derived  from 
further  digital  and  analog  inputs  to  give  valid  alarm  signals.   The 
valid  alarm  signals  are  displayed  immediately  upon  detection  on  the  unit 
operator's  alarm  display  CRT. 

A  fault  identification  routine  is  then  initiated  whereby  the  valid 
alarm  signals  are  processed  according  to  the  requirements  of  stored 
alarm causation trees. The output from the causation analysis identifies
one or more alarm signals as a prime cause alarm for any particular
pattern  of  alarm  inputs.   This  data  is  provided  to  the  operator  by  means 
of  the  CRT  display  and  is  automatically  printed  on  the  log  printer. 
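
A minimal sketch of the two stages just described, validity gating against plant state followed by prime-cause identification over a stored causation tree. It is an added example and not the Dungeness B software; the alarm names, the tree, the plant-state gate and the rule that any active ancestor counts as the cause are all constructed for illustration.

```python
from typing import Dict, Iterable, List, Set

# Constructed causation tree: alarm -> alarms that can directly cause it.
CAUSED_BY: Dict[str, List[str]] = {
    "CIRCULATOR_TRIP": [],
    "LOW_GAS_FLOW": ["CIRCULATOR_TRIP"],
    "HIGH_GAS_OUTLET_TEMP": ["LOW_GAS_FLOW"],
    "FEED_PUMP_TRIP": [],
    "LOW_FEED_FLOW": ["FEED_PUMP_TRIP"],
    "HIGH_STEAM_TEMP": ["LOW_FEED_FLOW", "HIGH_GAS_OUTLET_TEMP"],
}

# Constructed gating: alarm -> plant-state signal that must be true for the
# alarm to be valid (low flow is expected while the unit is shut down).
VALID_ONLY_WHEN: Dict[str, str] = {
    "LOW_GAS_FLOW": "REACTOR_AT_POWER",
    "LOW_FEED_FLOW": "REACTOR_AT_POWER",
}


def ancestors(alarm: str) -> Set[str]:
    """All alarms that can cause `alarm`, directly or through a chain."""
    seen: Set[str] = set()
    stack = list(CAUSED_BY.get(alarm, []))
    while stack:
        cause = stack.pop()
        if cause not in seen:  # also guards against a cyclic tree definition
            seen.add(cause)
            stack.extend(CAUSED_BY.get(cause, []))
    return seen


def valid_alarms(raw: Iterable[str], plant_state: Dict[str, bool]) -> Set[str]:
    """Combine raw alarm inputs with plant state to give valid alarms."""
    valid: Set[str] = set()
    for alarm in raw:
        gate = VALID_ONLY_WHEN.get(alarm)
        # A missing plant-state signal never hides an alarm.
        if gate is None or plant_state.get(gate, True):
            valid.add(alarm)
    return valid


def analyse(raw: Iterable[str], plant_state: Dict[str, bool]) -> Dict[str, List[str]]:
    """Return {prime cause alarm: [valid alarms explained by it]}.

    An alarm is a prime cause when none of its ancestors is active. Using
    ancestors rather than direct parents keeps the chain intact when an
    intermediate alarm is missing. Alarms absent from the tree have no
    ancestors, so they are always reported as prime causes, never hidden.
    """
    active = valid_alarms(raw, plant_state)
    primes = sorted(a for a in active if not (ancestors(a) & active))
    return {p: sorted(a for a in active if p in ancestors(a)) for p in primes}


if __name__ == "__main__":
    at_power = {"REACTOR_AT_POWER": True}
    burst = ["HIGH_STEAM_TEMP", "LOW_GAS_FLOW", "CIRCULATOR_TRIP",
             "HIGH_GAS_OUTLET_TEMP"]
    for prime, explained in analyse(burst, at_power).items():
        print("PRIME CAUSE", prime, "explains", explained)
```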

The  automatic  control  of  the  reactor  during  start-up  is  initiated 
by  the  operator  after  he  manually  energizes  the  circulator  motors  and 
completely  withdraws  the  trim  and  zone  rods. 

The data processing system then initiates the withdrawal of the
rod  banks  while  monitoring  three  pulse  channel  power  levels  and  period 
signals.   The  withdrawal  of  the  rod  banks  is  stopped  if  an  abnormality 
occurs.   In  this  case  manual  intervention  is  required  to  initiate  the 
program  after  correction  of  the  abnormality. 

As  criticality  is  approached  the  start-up  program  is  discontinued 
and  the  rod  banks  are  adjusted  to  bring  the  reactor  to  the  desired 
reactor period. When the reactor period has been stabilized in the
required range, further rod bank movement is stopped and the neutron
density continues to diverge at the established rate until the predetermined
flux level is reached.

When  the  required  level  of  neutron  flux  has  been  reached,  and  the 
rate  of  rise  of  the  coolant  outlet  temperature  is  sufficient  to  demand 
an  initial  downward  movement  of  the  zone  rods,  the  zone  control  program 
is  initiated  and  the  movement  of  the  zone  rods  is  automatically  started 
by the reactor zone controller. This continues until the zone controller
has increased the reactor channel gas outlet temperature at a predetermined
rate up to the initial desired level.

The  zone  control  program  and  reactor  start-up  program  maintain  the 
reactor  in  a  stable  condition  by  continuous  control  of  the  zone  rod 
position  and  intermittent  movement  of  the  rod  banks  until  the  rod  banks 
are  fully  withdrawn  or  the  operator  selects  the  manual  mode  of  operation. 

A large reactor tends to require control against spatial instabilities
and in this case the reactor is divided into five zones each of
which is controlled by an individual control rod. The control rod is
part of a servo loop which keeps the average channel gas outlet temperature
constant in each zone for a given power level. Thus zone control
is  a  part  of  the  overall  station  control  system  and  the  desired  value 
of  the  reactor  gas  outlet  temperature  can  be  made  to  vary  in  such  a 
manner  as  to  control  the  boiler  outlet  steam  temperature.   The  zone  gas 
outlet and steam temperatures are controlled by cascaded digital
controllers.

For  core  performance  calculations  and  for  estimates  of  maximum 
fuel  element  temperature,  it  is  necessary  to  know  the  axial  flux  shape. 
This  is  measured  in  the  reactor  by  pneumatically  transporting  miniature 
ball  bearings  into  nine  totally  enclosed  vertical  steel  tubes  at 
different  radial  positions  in  each  reactor  core.   Each  column  of  balls 
corresponding  to  the  height  of  the  reactor  core  is  irradiated  for  a 
predetermined  period.   The  balls  are  then  pneumatically  transferred 
from  the  reactor  for  measurement  of  power  distribution  by  an  annular  ion 
chamber  and  amplifier.   The  balls  are  retained  in  the  ion  chamber  for 
subsequent  storage.   Axial  in-core  flux  shapes  are  determined  using  this 
equipment which is controlled automatically by the reactor flux scanning
program.

The  data  processing  system  at  the  Dungeness  B  station  is  currently 
operational  and  is  being  used  for  the  testing  and  checkout  of  the 
station  during  commissioning.   The  station  is  expected  to  be  operational 
in  1975. 

Numerous  software  difficulties  have  been  encountered  in  this 
installation  resulting  in  extensive  cost  increases.   The  programming 
effort  in  preparing  the  software  for  the  Dungeness  B  computer  system 
amounted  to  30  man-years.16 

HINKLEY B (GREAT BRITAIN)

The  Hinkley  B  nuclear  power  station  in  Great  Britain  is  currently 
being  commissioned  and  is  expected  to  be  in  operation  by  December 
1974. This power plant also uses dual advanced gas-cooled
reactors. 

The  functions  provided  by  the  computer  system  at  the  Hinkley  B 
station  are  very  similar  to  those  at  the  Dungeness  B  station  but  in 
this  case  the  computer  system  is  more  sophisticated.   Basically  the 
computer  configuration  used  in  the  Dungeness  B  station  specified  the 
use  of  a  single  highway  for  each  reactor  unit,  whereas  the  Hinkley  B 
plant  has  two  highways  for  each  reactor  unit  and  each  highway  can  be 
automatically  switched  to  either  the  unit  computer  or  the  standby 
computer.   Additionally,  the  number  of  inputs  and  outputs  interfacing 
with  the  processing  system  differ  at  each  station.   The  Hinkley  B 
plant  is  expected  to  operate  in  the  manner  previously  described  for 
the  Dungeness  B  station. 

HARTLEPOOL  (GREAT  BRITAIN) 

The  newest  computer  configuration  to  be  used  at  a  nuclear  power 
station  in  Great  Britain  is  currently  being  manufactured  for  the 
Hartlepool  station  which  is  planned  to  be  fully  operational  in 
1976. '  l ' 12 ' 21 ,22   This  station  will  employ  twin  advanced  gas-cooled 
reactors  each  of  which  will  produce  660  MWe. 

This  station  will  rely  upon  on-line  data  processing  systems  to 
provide  data  displays,  logs  and  extensive  direct  digital  control.   A 
new  concept  which  was  introduced  in  the  design  of  this  system  is  that 
the scanning equipment is local to the plant areas which reduces the
amount  of  cabling  that  would  otherwise  be  required. 

The  data  processing  system  provides  facilities  for  two  reactor, 
boiler,  turbine  and  generator  units.   Associated  with  each  unit  is  one 
computer  and  a  block  of  input  and  output  equipment.   This  provides 
2,560  analog  inputs,  2,350  contact  inputs,  384  relay  outputs,  7  CRT 
display  units  and  various  teleprinters,  paper  tape  punches  and  tape 
readers.   The  third  computer  acts  as  a  standby  to  either  of  the  main 
units.   When  the  standby  computer  is  not  on-line,  it  is  used  for 
maintenance  purposes.   A  schematic  of  the  computer  configuration  is 
provided  in  Figure  4-5. 

The  computer  configuration  permits  the  independent  switching  of 
any  of  the  4  blocks  of  input  and  output  devices  between  the  unit  CPU 
and the standby CPU. Each unit computer is programmed with an automatic
switching program known as the watchdog timer which provides
automatic  central  control  of  the  highway  block  switching  function. 
By  using  these  switching  techniques  a  very  low  overall  system  failure 
rate  is  anticipated.   A  failure  rate  leading  to  a  reactor  shutdown 
is  predicted  to  be  less  frequent  than  once  in  20  years. 

The  reactor  and  plant  performance  entails  complex  interacting 
control  requirements  and  the  control  loops  are  non-linear.   In  this 
system  the  computer  controls: 

(1)  Reactor  gas  outlet  temperature,  by  varying  the  position  of 
any  of  37  rods, 

(2)  Reactor  gas  inlet  temperature  from  8  boiler  units,  by 
varying  gas  flow, 

(3)  Boiler  feedwater  flows,  by  altering  turbine  drive  or 
electrically  driven  feed  pumps, 

Figure 4-5
Hartlepool Computer Configuration Schematic

(4) Main turbine steam pressure by varying the throttle valves,
and

(5)  Integration  of  those  control  functions  providing  frequency 
compensation,  reactor  rod  bank  trimming  and  load  scheduling. 

Station start-up is controlled by the computer in phases, covering
rod withdrawal to criticality, automatic flux control, initiation
of  boiling  followed  by  turbine  driven  feed  pump  run-up  and  takeover 
from  electric  pumps,  main  turbine  run-up,  synchronization  and  block 
loading,  and  transfer  to  full  power  under  automatic  control. 


DOUGLAS  POINT  (CANADA) 

The first step toward computer control in a Canadian nuclear power
plant was taken at the Douglas Point power station, a 200 MWe unit
which employs a pressure-tube heavy water reactor.

At  Douglas  Point  a  single  computer  performs  the  following 
functions: 

(1)  Fuel  channel  temperature  monitoring, 

(2)  Reactor  flux-tilt  control, 

(3)  Alarm  scanning,  checking  and  logging, 

(4)  Station  hourly  log, 

(5)  Fuel  channel  temperature  log, 

(6)  Trend  log, 

(7)  Display  of  variables,  and 

(8)  Xenon  poisoning  monitoring. 

The  computer  was  introduced  into  the  system  as  shown  in  Figure  4-6. 
Two  major  control  loops  are  indicated.  An  analog  system  is  used  for 
fast power regulation, whereby a combination of ion chamber and thermal
signals control the reactivity by means of moderator level
adjustment. A direct digital control loop is used to counteract any
flux  tilt.   It  adjusts  the  position  of  mechanical  absorbers  in  response 
to  temperature  sensors  that  provide  a  measurement  of  radial  power 
distribution.   Additionally,  a  minor  control  loop  permits  the  computer 
to  adjust  the  power  level  demand.   The  computer  is  programmed  to  take 
into  account  the  electrical  output  required  by  the  power  distribution 
system  and  any  power  limiting  factors  imposed  by  the  station  itself. 

Another  important  feature  is  the  connection  to  the  reactor  safety 
system. In this design the computer may be used to shut down the
reactor  if  a  dangerous  condition  exists.   This  circuitry  is  in  addition 
to  the  independent  safety  system  which  is  described  in  section  V. 

Figure 4-6
Douglas Point Computer Control System

Failure of the computer in the Douglas Point system does not force
a  reactor  shutdown  and  manual  operation  is  possible  but  at  the  expense 
of  a  greater  work  load  for  the  operating  staff. 

The  performance  of  the  computer  system  at  this  station  has  been 
reliable  with  system  availabilities  greater  than  99.92  percent. 

PICKERING  (CANADA) 

The Pickering station was the next nuclear power station built in
Canada which is heavily committed to computer-based control and
instrumentation systems. The station has four pressure-tube
reactors  which  use  natural  uranium  fuel  with  a  heavy  water  moderator 
and  coolant.   Each  unit  is  capable  of  producing  a  net  power  output  of 
500  MWe.   Three  of  these  units  are  producing  their  rated  power  at  the 
present  time  and  the  fourth  unit  is  being  started.   Each  generating 
unit  has  two  fuelling  machines  for  changing  fuel  while  operating  at 
full  power. 

Reliability  of  the  Pickering  control  system  is  of  paramount 
importance both for cost and safety considerations. To meet this reliability
requirement, a dual computer system design was selected which
would  provide  complete  redundancy  at  each  unit.   All  functions  that 
are  essential  to  the  operation  of  the  unit  are  fully  duplicated  in 
both  computers.   The  dual  computer  systems  are  identical  except  for 
the  number  of  process  inputs  and  outputs. 

The dual computer approach chosen was to have one computer operating
as the normal control system with the other taking on the role of
an operating standby. Both computers have their inputs connected all
of the time and both function as though they are controlling but only
the normal system has its outputs connected to the controlling element.
A  block  diagram  of  one  half  of  the  computer  system  is  shown  in  Figure 
4-7. 

The  reactor  regulating  system  shown  in  Figure  4-8  determines  the 
power  produced  from  two  different  sets  of  flux  measurements.   Ion 
chambers  are  used  below  15  percent  of  full  power  and  in-core  flux 
detectors  are  used  above  15  percent  of  full  power.   The  programs  have 
direct  digital  control  over  14  light  water  compartment  absorbers,  18 
adjuster  rods,  11  shutoff  rods  and  4  moderator  level  control  valves. 

The reactor is divided into 14 zones to counteract the spatial
variation due to xenon poisoning. In the middle of each zone there is
a compartment that can be filled with light water and by the automatic
adjustment of the valve on the light water inlet the level in the compartment
can be controlled and hence the neutron absorption can be
controlled.   These  absorbers  are  actuated  independently  in  response  to 
in-core  flux  detectors  that  measure  local  perturbations  or  they  are 
actuated  in  unison  as  a  bulk  reactivity  control  when  a  power  alteration 
is  required. 

In  addition  to  reactor  power  control  the  computer  performs  the 
following  functions: 

(1)  Boiler  pressure  control, 

(2)  Control  of  reactor  warm-up  and  cooldown, 

(3)  Control  of  loading  rate  of  the  turbine, 

(4)  Control  of  the  turbine  run-up  and  preliminary  checks, 

(5)  Control  of  generator  power  output, 

(6)  Control  of  refuelling  and  sequencing, 

(7)  Alarm  annunciation  in  main  control  room, 

(8)  Monitoring  of  fuel  channel  temperature, 

(9)  Continuous  calculation  of  xenon  poison  concentration, 

(10)  Data  logging  and  trend  recording,  and 

(11)  Plant  performance  calculations. 

At  the  Pickering  station  there  was  complete  operator  acceptance  of 
the  computers  and  the  functions  necessary  for  plant  operation  since  the 
plant cannot operate for any length of time without them. The executive
program which provides the main timing for the system was subject
to a large number of refinements. One of the main problems was that
the  three  timers  used  for  timing  control  were  all  connected  to  the  same 
interrupt  level  and  could  not  be  separated.   Thus  it  took  certain 
combinations  of  functions  to  occur  in  certain  sequences  to  cause  a 
fault.   This  problem  has  subsequently  been  corrected. 

Some  programming  difficulty  has  also  been  observed  with  the  CRT 
alarm  display.   The  alarm  messages  were  too  abundant,  lengthy  and 
difficult to read. Consequently the alarm analysis and display programs
were modified to increase the usefulness of the CRT display.

There have been three cases in which a unit has been shut down due
to  a  computer  system  failure.   In  the  first  case  a  hardware  fault 
induced  by  lack  of  air  conditioning  caused  the  master  computer  to  halt 
and  transfer  control  to  the  standby  computer.   During  the  process  a 
relay failed to close (presumably for the same temperature problem).
The  second  outage  was  caused  by  a  combination  of  hardware  and  software 
faults.   The  third  outage  occurred  when  a  failed  digital  output  relay 
caused  a  turbine  run-back  to  be  initiated  and  the  power  was  decreased 
to  2  percent.   In  each  case  the  problems  were  identified  quickly  and 
the  plant  was  restored  to  operating  power  levels  before  the  xenon 
concentration  became  inhibitive. 

The  computer  systems  have  provided  successful  and  flexible  direct 
control.   They  have  considerably  reduced  the  commissioning  times  of  the 
three  Pickering  units  and  met  the  requirements  for  reliable  power 
production. 2k 

GENTILLY (CANADA)

The  Gentilly  power  station  started  producing  its  rated  power,  250 
MWe, in May 1972.27 The reactor uses natural uranium fuel with a heavy
water  moderator  and  is  cooled  by  boiling  light  water. 

As in the Pickering station, the computer system for the Gentilly
reactor exercises direct digital control of many vital functions as
indicated in Figure 4-9. The dual computer approach discussed
previously  is  used  at  this  station  to  assure  that  the  computer  system 
has  a  high  reliability. 

The  coarse  adjustment  of  reactivity  for  large  power  alterations 
is  achieved  by  direct  computer  control  of  16  booster  rods.   Six 
coolant  flow  valves  are  also  controlled  as  a  function  of  power. 


Figure 4-9
Gentilly Computer Control System

Continuous regulation of reactor power is done by the automatic
adjustment  of  seven  absorber  rods  which  are  driven  in  and  out  of  the 
reactor  by  means  of  digital  stepping  motors.   The  seven  absorber  rods 
are  distributed  among  seven  zones  in  the  reactor  core  to  maintain 
spatial  control  of  the  reactor.   The  rods  move  together,  for  bulk 
control,  in  response  to  a  combination  of  ion  chamber  and  thermal  signals 
but  can  be  moved  independently  to  achieve  spatial  control. 

Signals  for  spatial  control  are  obtained  from  forty  fuel  channels 
that  are  instrumented  with  inlet  and  outlet  flow  measuring  orifices. 
Steam quality and hence channel power is derived from these measurements.

A  CRT  display  is  incorporated  into  the  system.   The  display 
provides time-amplitude traces, bar graphs, absorber and booster rod
positions,  alpha-numeric  messages  and  power  distribution  plots. 

Flux tilt control difficulties were encountered during commissioning
and after modifying the computer programs and installing a flux
tilt  protective  system  the  computer  system  functioned  properly. 

BRUCE  (CANADA) 

Bruce  is  a  four  unit  generating  station  with  a  nominal  rating  of 
800  MWe  per  unit.25  Each  unit  has  a  pressure-tube  reactor  with  a  heavy 
water  moderator  and  coolant.   The  scheduled  in-service  dates  are  unit 
2,  September  1,  1976;  unit  1,  June  1,  1977;  unit  3,  June  1,  1978;  unit 
4,  June  1,  1979. 

A  schematic  of  one  half  of  the  computer  system  is  shown  in  Figure 
4-10.   The  design  approach  for  this  computer  system  was  essentially 
the  approach  used  at  the  Pickering  station,  both  with  regard  to  the 
dual computer concept and to the process functions performed by the
computer.   In  the  broad  areas  of  control,  alarm,  and  data  logging,  the 
computer  system  performs  the  following  functions: 

(1)  Reactor  power  regulation,  implemented  by  means  of  a  number  of 
programs,  each  dedicated  to  a  specific  regulating  task  as  the 
regulating  needs  of  the  plant  might  dictate, 

(2)  Boiler  pressure  control,  attained  normally  by  varying  the 
reactor  power  setpoint,  but  occasionally,  as  the  need  arises, 
by  operating  the  steam  discharge  valves, 

(3)  Unit  power  regulation,  consisting  of  two  distinct  functions: 
to  regulate  the  rate  of  plant  warm-up  and  boiler  pressure,  and 
to adjust the setpoint of the reactor power regulating subsystem
which controls the electrical output of the unit,

(4) Turbine run-up, consisting of an extensive set of preliminary
checks  and  of  a  program  that  will  run-up  the  turbine  to 
speed  in  the  shortest  possible  time  consistent  with  the 
restraints  imposed  by  the  turbine  manufacturer, 

(5)  Alarm  annunciation,  consisting  of  the  monitoring  and  analysis 
of  all  major  alarms  on  the  unit,  and 

(6)  Data  logging,  designed  to  produce  periodic  station  and  unit 
logs,  as  well  as  trend  reports. 

As  mentioned  previously,  the  design  approach  of  the  processing 
system  is  similar  to  the  design  approach  used  at  the  Pickering  station. 
The  truly  innovative  aspect  of  the  Bruce  system  is  its  man-machine 
subsystem.   Improvements  were  necessary  in  this  area  due  to  the 
increased  size  and  complexity  of  the  plant  which  dictates  more  frequent 
interaction between the operator and the plant control and instrumentation
system.

The  computer-driven  CRT  display  system  being  designed  for  each 
unit  of  the  generating  station  consists  of  ten  CRT  monitors  driven  by 
two  controllers,  eight  keyboards  and  two  high  speed  printers.   The 
processing  system  can  control  up  to  eight  monitors  each  of  which  has  a 
vertical  raster  similar  to  a  television  receiver.   The  characters  are 
normally generated from dot matrices. The alpha-numeric and graphic
characters  can  be  individually  added  or  deleted. 

All  analog  inputs  connected  to  either  of  the  two  unit  control 
computers  can  have  their  values  displayed  on  any  CRT  monitor  except  the 
alarm  annunciation  monitor.   A  group  of  related  inputs  can  be  displayed 
together  for  visual  analysis  and  correlation. 

SAINT  LAURENT  (FRANCE) 

Digital  computers  are  also  used  at  the  Saint  Laurent  nuclear  power 
station  to  control  the  setpoints  of  an  analog  controller  which,  in 
turn,  adjusts  the  reactivity  of  the  plant.28  This  system  also  uses 
redundancy  to  obtain  the  necessary  reliability.   Additional  details 
concerning  the  control  of  the  plant  are  not  available  to  the  author. 

V. SAFETY SYSTEMS


All  of  the  modern  nuclear  power  stations  in  service  today  use  a 
safety  system  which  is  independent  of  any  computer  application  although 
there  is  a  definite  trend  to  include  a  process  computer  in  the  safety 
systems  in  some  of  the  new  nuclear  power  stations  being  built  in 
Germany.3

The  conventional  safety  systems  utilize  relay  logic  or  solid-state 
logic  to  trip  the  reactor.   A  block  diagram  of  a  typical  modern  safety 
system is shown in Figure 5-1.7


Figure 5-1
Block Diagram of Channelized Safety System
(Sequoyah Nuclear Power Station)

In  this  design  the  instrumentation  system  measures  dominant  nuclear 
plant  process  variables  which  include  primary  system  pressures,  flows 
and  levels,  nuclear  and  thermal  power,  and  secondary  plant  pressures, 
flows  and  levels.   The  final  device  in  the  analog  channel  is  a  bistable 
device  which  serves  as  the  input  to  the  logic  channels.   As  shown  in 
Figure  5-1,  the  reactor  is  tripped  when  the  electrical  power  to  the 
control  rod  drive  mechanism  is  interrupted  by  either  of  two  series 
connected  trip  breakers.   Two  logic  trains  (A  and  B)  are  provided.   Each 
train  is  associated  with  one  of  the  trip  breakers.   The  logic  train 
accepts  on  or  off  signals  from  the  bistable  device,  performs  the 
required  logic  and  actuates  its  associated  trip  breaker.   In  the  event 
of  a  dangerous  operating  state  the  reactor  is  automatically  tripped. 
The  only  function  the  computer  serves  with  regard  to  the  safety  system 
is  to  monitor  the  status  of  the  alarms  and  provide  alarm  annunciation. 

The use of computers has been extended, however, in the design of
two nuclear power stations which are being built in Germany, the
Brunsbüttel and the Philippsburg nuclear power stations.2 These
stations have boiling water reactors and are scheduled to be in service
in 1975.

The design of this new safety system requires the use of three
single purpose computers. All of the analog and binary signals (48 and
168 signals respectively) are scanned with a cycle time of 30
milliseconds in each of the three computers. After analog to digital
conversion, the analog signals are tested for non-transgression of a
tolerance band and limit values. All transgressions are stored, as are also
all non-permissible combinations of binary signals. These entries are
evaluated by another program and, depending upon the circumstances,
result in a reactor trip which is triggered directly by the computer
after an increase in the length of the computer pulses from 80
microseconds to 50 milliseconds. This safety system is currently being
evaluated on the Halden reactor in Norway.3
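
The scan-and-evaluate cycle described above, sketched for one of the three computers as an added example (not code from this paper or from the plant's software). The per-signal parameters, the reading of "tolerance band" as a band around a reference value, the sample forbidden combination, and the policy that tolerance entries alone do not trip are all assumptions.

```python
import math
from dataclasses import dataclass

N_ANALOG, N_BINARY = 48, 168  # signal counts stated in the text
SCAN_CYCLE_MS = 30            # scan cycle time stated in the text

@dataclass(frozen=True)
class AnalogCheck:            # assumed per-signal parameters
    reference: float          # expected value, centre of the tolerance band
    tolerance: float          # half-width of the tolerance band
    low: float                # lower limit value
    high: float               # upper limit value

def scan(analog, binary, checks, forbidden):
    """One scan cycle: return the stored entries as (kind, detail) tuples."""
    if len(analog) != N_ANALOG or len(binary) != N_BINARY:
        return [("invalid_scan", None)]  # fail safe on an incomplete scan
    entries = []
    for i, (value, c) in enumerate(zip(analog, checks)):
        if math.isnan(value) or not (c.low <= value <= c.high):
            entries.append(("limit", i))       # limit value transgressed
        elif abs(value - c.reference) > c.tolerance:
            entries.append(("tolerance", i))   # outside the band only
    for name, pattern in forbidden.items():
        if all(binary[idx] == state for idx, state in pattern):
            entries.append(("combination", name))
    return entries

def evaluate(entries):
    """Separate evaluation step. Assumed policy: tolerance entries alarm only."""
    return any(kind != "tolerance" for kind, _ in entries)

# Constructed sample data, not plant values.
CHECKS = [AnalogCheck(50.0, 5.0, 0.0, 100.0)] * N_ANALOG
FORBIDDEN = {"valve_open_and_closed": ((10, True), (11, True))}

def demo():
    analog, binary = [50.0] * N_ANALOG, [False] * N_BINARY
    analog[3] = 57.0                    # outside the band, inside the limits
    drift = scan(analog, binary, CHECKS, FORBIDDEN)
    analog[7] = 120.0                   # above the upper limit value
    binary[10] = binary[11] = True      # non-permissible combination
    fault = scan(analog, binary, CHECKS, FORBIDDEN)
    return drift, evaluate(drift), fault, evaluate(fault)
```

An incomplete scan or an unreadable (NaN) value is recorded as a transgression rather than skipped, so a failed input drives the evaluation toward a trip instead of masking one.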

VI. CONCLUSIONS

A summary of the computer monitoring and control functions for each
of the nuclear power stations previously discussed is provided in Tables
6-1 and 6-2 respectively. The functions which are automatically
performed at each station are indicated by an asterisk (*) and those
functions which are not applicable for the type of reactor being
considered are indicated by a dash (-).

Tables 6-1 and 6-2 show a definite trend toward a high degree of
automation in the control of nuclear power stations. Completely
automatic control systems are now in existence. Although the software
development for the automated systems is a costly, tumultuous task, it
has been shown at several automated power stations now in operation
that the performance of the computer monitoring and control systems has
greatly simplified the plant operations and therefore improved the
safety of the power plant.8,12,18,24

France, Great Britain and Canada are now heavily committed to the
use of direct digital control systems for their reactors, and extensive
research involving digital control systems is being conducted in the
United States, Belgium, Switzerland and Japan.3,5,6,30

The special purpose computer is now planned to be used in the
safety system of two German reactors because of its flexibility in analyzing
the analog data and its self-checking features.

In  the  United  States  new  multiplexing  designs  for  power  reactors 
are  being  evaluated.31  A  distinguishing  feature  of  these  designs  is  the 
ability  to  incorporate  changes  which  would  enable  the  use  of  a  computer 
for  digital  control  at  some  future  date. 

The liquid metal fast breeder reactor currently being developed
in the United States will use approximately 1,000 in-core monitoring
devices to assure the safety and the availability of the plant.32,33,34
The handling of the data from these sensors seems feasible only by a
computer, in which case, the control requirements would be carefully
reviewed to determine the amount of automation that is necessary. Thus
it is possible that the breeder reactor would have a significant degree
of automation.

In  view  of  the  recent  strides  in  automation  of  nuclear  power  plants 
coupled  with  the  improvements  to  be  gained  in  the  areas  of  plant 
efficiency  and  safety  it  is  envisioned  that  the  United  States  will 
eventually  develop  a  fully  automatic  nuclear  power  station. 